跨境数据传输清单

最后更新：2026年5月20日

单独同意条款：本清单连同《隐私政策》§6 共同构成《中华人民共和国个人信息保护法》第三十九条对您个人信息出境的告知与单独同意条款。您勾选同意《隐私政策》即视为对本清单所列出境行为的单独同意。您可通过注销账号或关闭对应功能撤回同意。

1. 出境总体说明

本服务的核心后端、用户数据库、对象存储均部署于中国大陆境内（阿里云华东1（杭州）/华东2（上海）地域）。绝大多数个人信息存储与处理均在境内完成，不出境。本清单列举的，是为实现 Apple、Google、Spotify 等海外服务所必然涉及的、最小必要范围的跨境传输。

2. 接收方清单

序号	出境数据	接收方	接收方所在国/地区	处理目的	接收方保留期	法律基础	是否可关闭
1	APNs device token + 通知文案（标题、正文、deeplink）	Apple Inc.	美国	iOS 推送投递	由 Apple 按其隐私政策保留	合同必需 + 单独同意	系统设置中关闭通知
2	FCM token + 通知文案	Google LLC	美国	Android 国际版推送投递	由 Google 按其隐私政策保留	合同必需 + 单独同意	同上
3	Apple Music storefront 标识、查询参数	Apple Inc. / Apple Music Catalog API	美国	获取专辑、曲目、艺术家元数据	Apple 端短期日志	合同必需 + 单独同意	不使用播放/曲库即不传输
4	MusicKit 用户 Token、播放/曲库操作	Apple Music	美国	Apple Music 播放	由 Apple 按其隐私政策保留	合同必需 + 单独同意	不连接 Apple Music 即不传输
5	Spotify OAuth 授权码、access token、播放指令	Spotify AB	瑞典 / 欧盟	Spotify 播放	由 Spotify 按其隐私政策保留	单独同意	不连接 Spotify 即不传输
6	崩溃堆栈、面包屑、设备型号、OS 版本、应用版本（不含用户输入内容）	Functional Software, Inc.（Sentry）	美国 / 欧盟（按 DSN 路由）	稳定性诊断	Sentry 默认 90 天	单独同意（可关闭）	设置 → 隐私 → 崩溃诊断（关闭）
7	Sign in with Apple 鉴权过程数据（设备验证）	Apple Inc.	美国	账号身份验证	由 Apple 按其隐私政策保留	合同必需 + 单独同意	改用其他登录方式

3. 不出境的数据

账号信息、订阅、收藏、关注、聆听记录、客户端埋点事件 — 仅存储于中国大陆阿里云（华东1/华东2）
对象存储（OSS）资源 — 仅位于 oss-cn-shanghai
用户提交的昵称、评论 — 仅在阿里云内容安全 Green（中国大陆境内）审核
OpenAI / DeepSeek 调用 — 仅由后端发起，仅传输公开作品/艺术家信息，不传输用户个人信息
微信登录 / 微信支付 / 极光推送 / 支付宝 — 数据在中国大陆境内流转，不属于跨境

4. 接收方合规承诺概览

Apple Inc.：受美国及其全球分支隐私法律约束，公布 GDPR、CCPA、APEC CBPR 等合规框架；详见 apple.com/legal/privacy。
Google LLC：受 GDPR、CCPA 约束，发布 ISO/IEC 27001、27017、27018、SOC 2 合规报告；详见 policies.google.com/privacy。
Spotify AB：受 GDPR（欧盟主体）约束；详见 spotify.com 隐私政策。
Functional Software, Inc.（Sentry）：发布 SOC 2 Type II、ISO/IEC 27001；提供数据驻留区域选择；详见 sentry.io/privacy。

5. 安全保障

所有跨境传输均通过 TLS 1.2 及以上加密链路
仅传输完成功能所必需的最小信息（push token 不含用户身份；通知文案为我们自行生成的服务消息）
不进行用户画像跨境共享；不存在为广告归因目的的跨境传输

6. PIPL 阈值评估

根据国家网信办《个人信息出境标准合同办法》《数据出境安全评估办法》：

本公司非关键信息基础设施运营者
截至本清单更新日，本公司向境外提供个人信息累计未达到 100 万人；未达到 1 万人敏感个人信息；未达到自上年 1 月 1 日起向境外提供 10 万人个人信息或 1 万人敏感个人信息的强制安全评估阈值
因此目前依赖"取得个人单独同意 + 合同必需"作为出境合法性基础。当达到阈值时，我们将另行履行个人信息保护影响评估、安全评估申报或标准合同备案

7. 撤回同意

您可：

通过应用内"设置 — 账号 — 注销账号"撤回所有出境同意
通过关闭推送（系统设置）撤回 §2 第 1、2 项
通过断开 Apple Music / Spotify 连接撤回 §2 第 3、4、5 项
通过"设置 — 隐私 — 崩溃诊断"撤回 §2 第 6 项
通过改用其他登录方式撤回 §2 第 7 项

撤回不影响此前基于您同意已进行的处理。

查询：privacy@bwv988.com

Cross-Border Transfer Inventory

Last updated: May 20, 2026

PIPL Art. 39 separate consent: For users in mainland China, this Inventory together with §6 of the Privacy Policy constitutes the disclosure and separate consent required by PIPL Art. 39 for the cross-border transfer of your personal information. Accepting the Privacy Policy constitutes separate consent for the transfers listed below. You may withdraw consent by deleting your account or disabling the corresponding feature.

1. Overall posture

Our primary servers, user database, and object storage are located in mainland China (Alibaba Cloud East-1 Hangzhou / East-2 Shanghai). The vast majority of personal information is stored and processed entirely within mainland China. The transfers below are the minimum necessary to operate Apple, Google, Spotify, and Sentry functionality.

2. Recipient matrix

#	Data transferred	Recipient	Country	Purpose	Retention by recipient	Legal basis	Disable
1	APNs device token + payload (title, body, deeplink)	Apple Inc.	United States	iOS push delivery	Per Apple's policy	Contract necessity + separate consent	OS Settings → Notifications
2	FCM token + payload	Google LLC	United States	Android global push	Per Google's policy	Contract necessity + separate consent	Same
3	Apple Music storefront, query params	Apple Music Catalog API	United States	Album/track/artist metadata	Short-term Apple logs	Contract necessity + separate consent	Avoid playback / library features
4	MusicKit user token, playback/library actions	Apple Music	United States	Apple Music playback	Per Apple's policy	Contract necessity + separate consent	Do not connect Apple Music
5	Spotify OAuth code, access token, playback commands	Spotify AB	Sweden / EU	Spotify playback	Per Spotify's policy	Separate consent	Do not connect Spotify
6	Crash stack, breadcrumbs, device model, OS, app version (no user input)	Functional Software, Inc. (Sentry)	US / EU (per DSN)	Stability diagnostics	Sentry default 90 days	Separate consent (user-disableable)	Settings → Privacy → Crash Diagnostics
7	Sign in with Apple authentication signals	Apple Inc.	United States	Identity verification	Per Apple's policy	Contract necessity + separate consent	Use a different sign-in

3. Data that does NOT cross borders

Account info, subscriptions, favorites, follows, listening records, analytics events — stored only in mainland-China Alibaba Cloud
Object storage (OSS) — only in oss-cn-shanghai
Nicknames / comments moderation via Alibaba Content Safety (Green) — mainland China only
OpenAI / DeepSeek calls — initiated by server only; no end-user PII is transmitted, only public work/artist info
WeChat login / WeChat Pay / JPush / Alipay — data flows within mainland China only

4. Recipient compliance posture

Apple Inc.: published GDPR / CCPA / APEC CBPR commitments — apple.com/legal/privacy
Google LLC: ISO/IEC 27001, 27017, 27018; SOC 2 — policies.google.com/privacy
Spotify AB: GDPR (EU controller) — spotify.com privacy
Functional Software (Sentry): SOC 2 Type II, ISO/IEC 27001; data-residency selectable — sentry.io/privacy

5. Safeguards

All cross-border transfers via TLS 1.2+
Minimum necessary information (push tokens do not contain user identity; notification text is service-generated)
No cross-border sharing of user profiles; no cross-border advertising attribution

6. PIPL threshold check

Per the Cyberspace Administration of China's Standard Contract Measures and Data Outbound Security Assessment Measures:

We are not a Critical Information Infrastructure Operator
As of the last-updated date, our cumulative cross-border PI export has not reached 1,000,000 individuals, nor 10,000 individuals' sensitive PI, nor the 100,000-individual annual threshold for mandatory security assessment
We therefore rely on separate consent + contract necessity. When thresholds are met, we will conduct a Personal Information Protection Impact Assessment and submit either a security-assessment or standard-contract filing as required

7. Withdrawing consent

Delete account in-app: withdraws all consents
Disable notifications in OS Settings: withdraws #1, #2
Disconnect Apple Music / Spotify: withdraws #3, #4, #5
Settings → Privacy → Crash Diagnostics: withdraws #6
Switch to a different sign-in method: withdraws #7

Withdrawal does not affect processing already performed under prior consent.

8. For EU/UK users (GDPR Chapter V)

Our primary servers are located in mainland China. Transfers to recipients outside the EEA / UK rely on the following safeguards under GDPR Chapter V: contractual safeguards with the recipient where available; explicit consent under Art. 49(1)(a); transfer necessary for performance of the contract under Art. 49(1)(b). You may request additional information about the safeguards via privacy@bwv988.com.

Inquiries: privacy@bwv988.com